Big Time Help Needed!

falcon409
January 16th, 2010, 18:08
My granddaughter was here this afternoon with a friend and they spent time on the computer of course. Somewhere along the way they picked up either a true virus or something disguising itself as one.

I can access the internet, but it won't allow me to activate any programs. I was going to download and run Adaware, but it won't allow the executable to run.

If I restore to an earlier point will that work?

TheOptimist
January 16th, 2010, 18:10
No. Restoring only restores system settings; it won't get rid of any files.

Have you tried running a scan in safe mode?

Edit: Apologies if this is patronising, I am unaware of your level of knowledge!

Roger
January 16th, 2010, 18:11
Oh man that's dreadful! Can you run your anti-virus program?

MCDesigns
January 16th, 2010, 18:18
Dang, sorry to hear that Ed! That is the main reason none of my family touch my PC. I got an Xbox 360 for my nephews, but they get bored with that and want to surf the web, not on this machine, I've seen how badly they treat their computers, LOL.

falcon409
January 16th, 2010, 18:19
When I run the antivirus scan it says there's nothing there. I've checked all the firewall settings, defender, etc. everything is up and running.

I have an icon that says it's "Anti Virus Live" if I try to close it out it pops up with a scan in progress and appears to be locating virus threats. If I tell it to correct them, it says I'll have to purchase the license first (of course). I'm not sure it's a full blown virus, but a very annoying malware that has embedded itself.

jetstreamsky
January 16th, 2010, 18:21
If you can't install some anti-virus, try an online one that runs directly from your browser

This might be useful http://www.bitdefender.com/scanner/online/free.html

scottmm73
January 16th, 2010, 18:22
When you try to run an executable, what type of error does it give you? A screen shot may be needed. What do you mean by activate? Do you mean run an executable?

Check your browser history and see what sites they attended, provide a list and maybe we can help you.

Disregard you answered while I posted.

TheOptimist
January 16th, 2010, 18:23
Just to double check, you are aware that Anti-virus Live IS the malware?

Your post doesn't make that completely clear!

It looks like this I imagine;

http://www.2-spyware.com/images/data/antiviruslive.jpg

jetstreamsky
January 16th, 2010, 18:24
Given your AV didn't find anything, going back to an earlier restore point might work if all that's happened is a setting change somewhere

scottmm73
January 16th, 2010, 18:24
A google search produced this:

Don't go to that site. Will find a more trustworthy one.

falcon409
January 16th, 2010, 18:25
Just to double check, you are aware that Anti-virus Live IS the malware?

Your post doesn't make that completely clear!

It looks like this I imagine;

http://www.2-spyware.com/images/data/antiviruslive.jpg

On the computer in question make sure you're not connected to the internet. It messes with your internet security settings.
That's the one!!

TheOptimist
January 16th, 2010, 18:27
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-live

Have fun.

jmig
January 16th, 2010, 18:28
OOPS! I didn't read far enough down.

This sounds like a bogus anti-virus trojan. Any program that forces you to pay to fix a computer it broke is BAD.

If you have another computer, Google the name of that program and see if there is a way to remove it.

A friend of mine got something like that. We found a fix online and he had to boot in Safe mode to remove the malware.

Roger
January 16th, 2010, 18:29
I had that or something similar and I think I used Malwarebytes to cure it in safe mode.

scottmm73
January 16th, 2010, 18:30
This is from Symantec:

Antivirus Live Removal Step By Step:
1. Kill processes: (random)sysguard.exe
2. Delete registry keys: (always backup first)
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\I… Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\W… Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\W… Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\W… "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\W… "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\W… "(random)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\… "(random)"
3. Delete files:
%UserProfile%\Local Settings\Application Data\(random)\(random)sysguard.exe
4. Delete folders:
%UserProfile%\Local Settings\Application Data\(random)\
Once I finished the above steps, I used Spybot to scan again. I was able to completely remove the Antivirus Live trojan.
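The Symantec list above is a manual clean-up checklist, and the thread shows why it matters: the proxy entry explains how the browser still "works" while every request is being routed through a local port, and the RunInvalidSignatures / LowRiskFileTypes / SaveZoneInformation changes strip the warnings Windows would normally show before running a downloaded program. The following is an added, read-only audit script; it is not from Symantec, from the forum, or from any poster. It only reports the indicators, deleting nothing. The list on the page truncates the registry paths; the script assumes they refer to the standard Windows locations of those values (Internet Settings for the proxy values, Internet Explorer\Download for RunInvalidSignatures, Policies\Associations and Policies\Attachments for the other two), and it assumes the %UserProfile%\Local Settings\Application Data layout of Windows XP, falling back to %LOCALAPPDATA% on later versions.

```powershell
# Added read-only audit for the Antivirus Live indicators listed in the thread.
# It reports findings and deletes nothing. Run in the affected user's session
# (the keys are under HKCU). Assumes PowerShell 2.0 or later.
$findings = @()

# 1. Running process whose name ends in "sysguard" (the listed name has a random prefix).
foreach ($p in (Get-Process | Where-Object { $_.ProcessName -like '*sysguard' })) {
    $findings += "Process: $($p.ProcessName) (PID $($p.Id)) path=$($p.Path)"
}

# 2. Registry values. Assumption: the truncated paths in the list mean these standard keys.
$checks = @(
    @{ Path = 'HKCU:\Software\AvScan'; Name = $null
       Bad = { $true }; Why = 'AvScan key present' },
    @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Download'; Name = 'RunInvalidSignatures'
       Bad = { param($v) $v -eq 1 }; Why = 'downloads with invalid signatures allowed to run' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'ProxyServer'
       Bad = { param($v) $v -match '127\.0\.0\.1:5555' }; Why = 'browser traffic routed through a local proxy' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Associations'; Name = 'LowRiskFileTypes'
       Bad = { param($v) $v -match '\.exe' }; Why = '.exe marked low risk, open-file warning suppressed' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments'; Name = 'SaveZoneInformation'
       Bad = { param($v) $v -eq 1 }; Why = 'zone (mark-of-the-web) information no longer saved on downloads' }
)
foreach ($c in $checks) {
    if (-not (Test-Path $c.Path)) { continue }
    if ($null -eq $c.Name) { $findings += "Registry: $($c.Path) exists ($($c.Why))"; continue }
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $v = $item.($c.Name)
    if (& $c.Bad $v) { $findings += "Registry: $($c.Path)\$($c.Name) = '$v' ($($c.Why))" }
}

# 3. Dropped file: <random folder>\<random>sysguard.exe under the per-user local data folder.
$roots = @("$env:USERPROFILE\Local Settings\Application Data", $env:LOCALAPPDATA) |
    Where-Object { $_ -and (Test-Path $_) }
foreach ($r in $roots) {
    Get-ChildItem -Path $r -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer } | ForEach-Object {
        Get-ChildItem -Path $_.FullName -Filter '*sysguard.exe' -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            ForEach-Object { $findings += "File: $($_.FullName)" }
    }
}

if ($findings.Count -eq 0) { 'No Antivirus Live indicators found.' } else { $findings }
```

As the thread later shows, the malware blocks executables in a normal session, so a script like this only gets to run from Safe Mode or from a clean session; even then it is a confirmation step, not a substitute for the full scan that finally cleared the machine.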

TheOptimist
January 16th, 2010, 18:31
This is from Symantec:

Antivirus Live Removal Step By Step:
1. Kill processes: (random)sysguard.exe
2. Delete registry keys: (always backup first)
HKEY_CURRENT_USER\Software\AvScan
HKEY_CURRENT_USER\Software\Microsoft\I… Explorer\Download "RunInvalidSignatures" = "1"
HKEY_CURRENT_USER\Software\Microsoft\W… Settings "ProxyOverride" = ""
HKEY_CURRENT_USER\Software\Microsoft\W… Settings "ProxyServer" = "http=127.0.0.1:5555"
HKEY_CURRENT_USER\Software\Microsoft\W… "LowRiskFileTypes" = ".exe"
HKEY_CURRENT_USER\Software\Microsoft\W… "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\W… "(random)"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\… "(random)"
3. Delete files:
%UserProfile%\Local Settings\Application Data\(random)\(random)sysguard.exe
4. Delete folders:
%UserProfile%\Local Settings\Application Data\(random)\
Once I finished the above steps, I used Spybot to scan again. I was able to completely remove the Antivirus Live trojan.

I'd be slightly hesitant messing about in the registry.

As I said before this seems a fairly comprehensive process but there is less scope for error. In fact there is just about no scope for error;

http://www.bleepingcomputer.com/virus-removal/remove-antivirus-live

DX-FMJ
January 16th, 2010, 18:31
You would think in this day and age with all the reviews of software/malware etc nOObs would finally get the point!

I see so many people getting nailed by this crap, and all I can say is do your homework and be skeptical of any program unless researched thoroughly! :mixedsmi:

Not attacking you falcon, just stating the obvious.

scottmm73
January 16th, 2010, 18:33
http://www.bleepingcomputer.com/virus-removal/remove-antivirus-live

Have fun.

That site and the site I posted required a download of an app called rkill. I would stay away from it, can't trust them you know.

TheOptimist
January 16th, 2010, 18:34
You would think in this day and age with all the reviews of software/malware etc nOObs would finally get the point!

I see so many people getting nailed by this crap, and all I can say is do your homework and be skeptical of any program unless researched thoroughly! :mixedsmi:

That's all good and well, and my main computer is a fortress, but still bits and bobs get through.

We had a REALLY nasty one the other week.

There wasn't a scan on the internet that could touch it. My poor brother spent hours in the registry getting rid of the thing. It cross installed itself on two different user accounts. When you got rid of one and switched to the other user account, the infected account would reinstall it on the other one!

scottmm73
January 16th, 2010, 18:34
You would think in this day and age with all the reviews of software/malware etc nOObs would finally get the point!

I see so many people getting nailed by this crap, and all I can say is do your homework and be skeptical of any program unless researched thoroughly! :mixedsmi:

Is he calling your grandkids "nOObs"?

Roger
January 16th, 2010, 18:35
Good luck Ed, I hope you get it fixed!

Cactuskid
January 16th, 2010, 18:38
Sorry to hear that Falcon. I empathise with you as the same exact thing happened to me this past fall. I picked up the same "anti-virus" malware when I dumped Norton, and before I could install a new program. After my computer got infected, I could not install a new anti-virus program. I tried everything to no avail. After much frustration, I cleaned the disk and re-installed Windows, and of course had to re-install FSX, which is no small task with all the stuff I've got added. I sincerely hope that you don't have to resort to the same solution that I did, and can find a way to get rid of this malicious malware some other way. If you do, please post the remedy that you used, so that others can take advantage of it... This is unfortunately a very common computer infection. Good luck!

DX-FMJ
January 16th, 2010, 18:38
Is he calling your grandkids "nOObs"?

nOObs rhymes with bOObs

falcon409
January 16th, 2010, 18:38
Well, the rkill program is useless, the malware won't allow it to do anything. I've spent a fair enough time in the registry to feel comfortable, so. . . .I'm going in.

Oh, and DX-FMJ. . .I can do without you "stating the obvious" right now. Thank you!

scottmm73
January 16th, 2010, 18:40
Well, the rkill program is useless, the malware won't allow it to do anything. I've spent a fair enough time in the registry to feel comfortable, so. . . .I'm going in.

Oh, and DX-FMJ. . .I can do without you "stating the obvious" right now. Thank you!

Take it nice and slow, and double check those registry entries before you click delete.

TheOptimist
January 16th, 2010, 18:40
That site and the site I posted, required a download of an app called rkill. I would stay away from it, can't trust them you know.

If you have a look around the net Rkill seems to be perfectly trusted and effective. Either way would most likely work, it's just up to Falcon what he fancies doing. Personally I'd be happier keeping well away from the registry.

Falcon if you do change the registry make sure you backup EVERYTHING!

falcon409
January 16th, 2010, 18:43
Nope. . .the regedit is an exe file. . .it stops it from running as well. The thing is, I can download any scanner, repair program I want from the internet, but it won't let anything run. Somehow I have to be able to do this either by locating the offending files and removing them or reformatting and starting all over again.

TheOptimist
January 16th, 2010, 18:48
The one thing I could suggest is to try running rKill/Regedit the instant you have it available in your programs bar.

In fact, create a shortcut on the desktop and see if you can start anything JUST after powering on, before the malware has a chance to get itself sorted. Worked for me once, you never know.

falcon409
January 16th, 2010, 18:49
Well, unless something just suddenly works, I think I'm screwed. Even restoring is not an option, as that is also an application and as such is being blocked.:isadizzy:

harleyman
January 16th, 2010, 18:51
Install the program and scan in safe mode... I have to do it all the time.

DX-FMJ
January 16th, 2010, 18:51
falcon may I suggest some software for you?

ESET Smart Security 4 and ESET NOD32 Antivirus 4
http://www.eset.com/

Malwarebytes anti-malware
http://www.malwarebytes.org/mbam.php

Spybot-S&D plus TeaTimer registry protection
http://www.safer-networking.org/en/index.html

TuneUp Utilities - 2010
http://www.tune-up.com/products/tuneup-utilities/

I live and die by them and can vouch for my company running these with great success, most going on 4 years!

:ernae:

TheOptimist
January 16th, 2010, 18:53
Nah, there'll be an option.

Restoring wouldn't do anything, it's a bit clever for that.

Go onto www.geekstogo.com and let your problems be known there. The people in the forums (especially the moderators) are professional and will have you sorted by going through your log files etc.

TheOptimist
January 16th, 2010, 18:55
falcon may I suggest some software for you?

ESET Smart Security 4 and ESET NOD32 Antivirus 4
http://www.eset.com/

Malwarebytes anti-malware
http://www.malwarebytes.org/mbam.php

Spybot-S&D plus TeaTimer registry protection
http://www.safer-networking.org/en/index.html

TuneUp Utilities - 2010
http://www.tune-up.com/products/tuneup-utilities/

I live and die by them and can vouch for my company running these with great success, some going on 4 years!

:ernae:

They'll be great when the virus is gone but at the minute he can't run any of them :isadizzy:

Roger
January 16th, 2010, 18:56
Ed,
If you're still up for trying solutions, try installing this in safe mode: http://www.malwarebytes.org/ This is what I used when I had the same problem. It has to be in safe mode to prevent the bogus anti-virus from running.

Cactuskid
January 16th, 2010, 19:32
Ed, I think you may find this to be of interest...

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/resolved-hjt-threads/421736-bogus-anti-virus-software-automatic-updates-disabled.html

falcon409
January 16th, 2010, 20:46
Ed,
If you're still up for trying solutions, try installing this in safe mode: http://www.malwarebytes.org/ This is what I used when I had the same problem. It has to be in safe mode to prevent the bogus anti-virus from running.
That did it Roger! I'm currently running ad-aware in the background, but running Malwarebytes in safe mode got it. Took about an hour or so and around 700,000 files, but it did appear to remove the offending files.

Man, that's bad news. Knowing there's nothing seriously wrong with the system, but at the same time, unable to be able to get to the dang files to delete them. That sucks, lol.

Thanks to everyone for rushing in as soon as I posted. I appreciate everyone's assistance and suggestions. Looks like we got it though!!:salute::salute:

scottmm73
January 16th, 2010, 20:53
Glad to hear it falcon, now go get those grandkids a cheapo netbook.

Wombat_VC
January 16th, 2010, 21:02
My MO is that no one runs as an admin user on my computers. Not my wife and not even the IT department on my company notebook. I simply locked the IT people out from the company notebook and firewalled the whole thing. This way, I have only myself to blame if I still manage to let a trojan in.

N2056
January 16th, 2010, 22:01
I have come across this sort of thing...multiple times. Here is the key...
You are doing your thing on the net. You go to a site and suddenly a window pops up informing you that your computer is totally hosed with viruses.

DON'T CLICK ANYTHING IN THE WINDOW!

Ctrl-Alt-Delete into the task manager and close anything you have open. Click anywhere on that window and it's game over. Twice I ran into this on my rig. The first time I tried to close the window by clicking where you would normally click. When the hard drive lit up I killed the power to the rig. I got lucky and all was well. The second time I used the method described above with success. That was something put out from the IT people where I work.

My wife has managed to get a couple of these on her computer, and I have managed to beat both of them, but it's a pain in the keyster to do. :isadizzy:

falcon409
January 16th, 2010, 22:45
Yep, thanks Robert. On average I would guess that most people would react similarly. First reaction is to close the window, especially when it is obviously something you don't recognize. The longer you mess with it the deeper it sets itself into your file structure. . .and then, like this one did, it knocks out any attempt to run a program.

Well, I'll be running scans for a few days now to ensure that everything is out. . .even to the extent of doing a search through the registry.:salute:

harleyman
January 16th, 2010, 23:15
The worst thing is that they do whack your registry. If you had many of them, you might consider a fresh OS install... Problems can pop up later from the corruption..

Crusader
January 17th, 2010, 01:19
Ed,
If you're still up for trying solutions, try installing this in safe mode: http://www.malwarebytes.org/ This is what I used when I had the same problem. It has to be in safe mode to prevent the bogus anti-virus from running.


falcon409: I also used this same one Roger did and it worked. I had this exact virus, luckily on an older PC, and I know how frustrating it is when you can't even run an exe file. Maybe as luck has it the idiot who authored this virus will get his day in court, but as we all know that is a slim possibility. Anyway I'm glad everything turned out for you and you're up and running again.

Rich

Mithrin
January 17th, 2010, 02:16
Glad you got it sorted! I hate those programs!

falcon409
January 17th, 2010, 04:48
As mentioned earlier, the problem has been solved and as is always the case, SOH came to the rescue in a big way. Thanks to everyone for their suggestions and encouragement during this little "glitch" in an otherwise normal day for me. Phew. . .that was close. . .but we got it done. Thanks all!!

Thread closed.:salute: